The Polish Ministry of Digital Affairs recently published a draft lawthat will implement the NIS directive to the Polish legal framework. The draft law opens a new market for cybersecurity services in Poland and will impose new obligations on different stakeholders, including providers of digital services.
Who is covered
According to the draft law, only entities meeting the specified criteria should apply the new law. For example, entities (i) having an organizational unit in Poland; (ii) belonging to the sector or subsector mentioned on the list provided in the appendix the to the draft law; and (iii) those that received a decision of supervisory authority in relation to providing essential services, should be considered “operators of essential services” and therefore should apply the provisions of new draft. The mentioned appendix includes, for example, banks, providers of energy services, air carriers, providers of health care services, railway operators and providers of DNS services.
In addition to categories of entities listed in the appendix, digital service providers, understood as providers of electronic services in the meaning of the Polish law on electronic services, should also apply the new law in the scope the draft specifies. Such entities can be providers of cloud services, or online market places or search engines, assuming they meet the criteria provided in the act on electronic services.
Different obligations for different stakeholders
The draft law provides a list of requirements and obligations that must be met by the entities covered by the draft. In relation to operators of essential services, they should ensure the security of their essential services and the continuity of such services, as well as implement a security management program that complies with the law. They will be also required to appoint a dedicated person responsible for ensuring cyber security. Similar — though lighter — obligations arise for providers of digital services; they should ensure the security of the provided services appropriate to the existing risk, taking into account the latest state of the art. Digital service providers should, for example, specify and take appropriate and proportionate technical and organizational measures to manage the risks to which used systems are exposed.
In addition to the above, there is a broad new requirement that organizations notify various public bodies of security incidents. There are different levels of notification required based on the level of risk that the incident creates. Of course, higher risk incidents come with more obligations for the provider of digital services or the operator of essential services, and failure to notify can lead to financial sanctions.
Outsourcing cybersecurity services
According to the draft law, most of the obligations can be outsourced by the operators of essential services or digital service providers to third party providing cybersecurity services, based on the agreement.
Such providers should, however, meet the criteria provided in the draft law, namely they should have: (i) adequate organizational and technical capabilities to enable cybersecurity for their clients; (ii) have facilities to provide incident response services, secured against physical and environmental hazards; and they should (iii) apply appropriate security measures to ensure the availability, integrity, confidentiality and accountability of processed information.
What’s also interesting, the draft law requires mandatory cybersecurity audits on a regular basis, namely every two years. The audit is to be carried out by an accredited unit and is focused on verification, based on a risk analysis, of whether the operators of essential services “meet the requirements set out in the act.” As the scope of audit is quite general in the current wording of the draft law, the practice will show the approach of the auditors to such audits.
The draft law provides several cases where financial sanctions can be imposed on an entity not following its obligations under the new law. The proposed sanctions for operators of essential services may reach EUR 25,000 in the case of not creating a data security system, or up to EUR 50,000 in cases where infringing the law leads to significant damage or serious impediment to the provision of the service. It seems that in some cases the proposed sanctions are just an addition to sanctions arising from GDPR, or sanctions that can be triggered under the criminal law.
The draft law is now at the stage of public consultations and was sent to various stakeholders, including to chambers of commerce, on October 31. The interested parties have 21 days to provide the Ministry of Digital Affairs with comments and suggested changes to the draft law. According to the publicly made statements of the representatives of the Ministry of Digital Affairs, it is expected that the law will be enacted in spring of 2018.